Similar to paper mail fraud, email fraud involves a deliberate attempt by a perpetrator to defraud using email as the contact mechanism. Fraudulent emails have become a pernicious force, capturing the attention of the media, corporate executives, legislators, and consumers, and costing corporate institutions millions in information technology (“IT”) resources. Email fraud ranges from rudimentary attraction scams to more complex attempts to perpetrate online identity theft or misrepresent the brand of an established corporate entity, such as a financial institution. Financial institutions are a favorite target among perpetrators of fraud because of the potential for immediate access to monetary assets.
The most insidious and damaging varieties of email fraud incorporate two related techniques: (1) brand spoofing, and (2) phishing. Brand spoofing occurs when the perpetrator (i.e. a scammer) sends out legitimate-looking email that appears to originate from large or recognizable companies. Spoofing emails include deceptive content in the body of the message, fraudulently using the spoofed company's logo and/or using convincing text that seems to be legitimate. By hijacking brands, scammers can attract the attention of existing and potential customers of a company with the hope of manipulating them in some fashion. However, spoofing is usually not the end-goal of perpetrators of fraud. The payoff occurs when recipients are fooled into providing personal financial information which may then be peddled to other third parties who are in a position to capitalize on the information to obtain revenue. The term for such malicious attempts to collect customer information for the purpose of committing fraud is called “phishing” (pronounced “fishing”) in which criminals “fish” for financial information from an imagined sea of online consumers using fraudulent emails as the bait.
For example, an email might direct a consumer to a fraudulent website that appears to be a legitimate site. This fraudulent site might include instructions or forms that entice a consumer to provide bank accounts, addresses, social security numbers, or other private information. Such information can then be utilized by criminals to commit identity theft or steal assets from the unsuspecting consumer.
Security professionals attempt to diminish the impact of phishing through user education, filtering of phishing emails, and the use of anti-phishing toolbars, all designed to prevent users from accessing the phishing website where a consumer might divulge private information. Despite those efforts, a large number of phishing sites are created each year. The Anti-Phishing Working Group (“APWG”) reports that during the first half of 2008, 47,324 unique phishing sites (i.e. each site had a unique Universal Resource Locator or “URL”) were created to host an “attack” against a company, such as a financial institution. Of these sites 26,678 unique domain names and 3,389 unique numerical IP addresses were used. While some of these sites may exist for weeks, most are identified and shut down by adversely affected parties very quickly. In fact, according to APWG, the phishing websites reported in the first half of 2008 averaged a website lifespan of 49.5 hours with a median life existence time of 19.5 hours. Hence, phishing websites are transitory objects and must be newly created continuously to be effective for a phishing perpetrator.
Unfortunately, the process of shutting down a phishing website is difficult. A typical phishing incident response and investigation team receives in excess of 1 million potential phishing URLs each month which must be sorted, de-duplicated, confirmed, labeled, and referred for appropriate action. Typically, potential fraud URLs are reported from customers and vendors. These sets are reduced to unique URLs, sometimes using regular expressions or pattern matching to identify URLs which resolve to the same content. That list is then prepared in a “work queue,” where an incident response group manually reviews each site to determine whether it is committing fraud against a brand for which they are responsible. If the site is fraudulent and attacking a brand of interest, additional attributes of the site, such as whois information, the ASN or netblock of the hosting IP address, or the registrar used to register the site are determined. This information is then used to generate a communication to parties who are in a position to stop the fraudulent website from resolving within the DNS service. Some portions of this process may be automated, but any automated portions cannot begin until the reported URL is retrieved from a work queue and verified.
Once a phishing site has been identified and a communication transmitted to a party in a position to do something about its operation, such as for example a webmaster or webhosting company, their staff may “lock” or disable the hosting account, or change permissions to the offending content so that visitors cannot retrieve the content. An ISP may temporarily block internet access for the computer containing the offending content. Or, a registrar may remove name resolution services for the domain name, or may otherwise delete or disable the domain name.
As indicated above, the timeliness of the appropriate response is currently hindered mostly by the delay introduced by the need for human verification of the potentially offending website, which is often repeated multiple times by various parties all working toward a common identification process. Hence, the anti-spam, anti-phishing industry would benefit from having a trustworthy method for confirming phishing sites without the need for human intervention.